Cyber Threats Escalate as Banks Go Paperless

In late March, South Korean banks were targeted in the most pervasive cyberattack yet for a financial system.

Some 32,000 computer systems across three large institutions were left paralyzed after hackers infected the banks with malware—a generic term for the various ways your PC can be infected, compromised, and crippled. ATMs were frozen, and files were erased.

Within hours, though, came the good news: The systems were back. And no customer accounts had been compromised.

A reassuring announcement, but one that's come all too frequently as the number of cyberattacks has risen. Websites for five U.S. banks have been struck in the last month (among them JPMorgan Chase, Wells Fargo, TD Ameritrade, and others), with 13 targeted—some repeatedly since the first public wave in September. It's left more customers asking that very question: With the rising threat of a hack, is my money safe?

"There are many ways your personal information becomes vulnerable," said Doug Johnson, vice president for risk management policy at the American Bankers Association. "The duty is to protect the environment as much as we can."

The problem is that the environment is in flux.

As banks look to cut costs,they're moving toward completely paperless branches. The move would save back-office costs for the company and resources from the environment.

And executives like Jonathan Velline, head of ATM, banking and store strategy at Wells Fargo, noted going paperless might even be safer than using paper.

Take the simple action of cashing a check. You give it to the bank teller, who scans it into the system, authorizes the funds and puts it in a stack. Then they physically route the check to the nearest processing center, or (for checks coming from other banks) to the nearest regional Federal Reserve, to swap it with that institution. The logic: The more human processes, the more room for error.

"On the whole, going paperless is not more dangerous," said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit. "Right now, in this transition period, mobile devices are fairly hazardous."

Consumers are flocking to mobile devices in droves for the convenience of banking on-the-go, often without the education of how to protect their own device. Encouraging the practice is economically attractive for banks, too: Servicing a mobile transaction costs $0.08 on average, while servicing an in-store transaction is $4.25, according to Diebold, a bank transaction specialist.

"There is a serious danger that people have a device on their mobile phone that's stealing their information in other ways," said Borg.

Institutions must report suspicious activity with Treasury's Financial Crimes Enforcement Network, and a source said that the agency's May data release is expected to show a sharp rise in reported cyberattacks by U.S. financial institutions.

News of those attacks last year would have been kept behind closed doors, until President Obama signed an executive order the day of the State of the Union address urging disclosure and transparency.

"Businesses didn't want their systems to appear weak," according to one government official. "Now they know everyone is in the same boat."

The result has been a double-edged sword: It reminds consumers to be prudent, but also puts them on alert as to how much hacking actually happens.

"It's a daily occurrence," said the ABA's Johnson. "Larger institutions recognize that they have to be prepared perpetually for a financial attack." (For instance, one bank executive sees in excess of 100,000 attempts to disrupt the company's system each day, although the vast majority of those can be thwarted by the simplest of deterrents such as basic firewalls.)

The most common type involves denial-of-service, where parties seek to flood the infrastructure of a website or system in order to crash it: A cyber traffic jam. This type of attack has occurred for more than a decade and led to the creation of corporate firewalls.

The more vicious attack happens when the company's firewall gets breached, thereby allowing intruders access to sensitive documents and accounts. The success of these cases, of late, is rare.

But even if an attack doesn't breach the firewall, its implications for customer in the mobile age can be serious. On Feb. 1, Bank of America suffered a denial-of-service shutdown on its website and mobile devices.

The number one complaint from customers, including Molly Malloy of California: "It's the first of the month, and I can't pay my bills."